Application programming interfaces (APIs) have long served as the invisible backbone of online retail, allowing retailers to seamlessly integrate the complex web of e-commerce systems and orchestrate everything from payment processing to shipping logistics to inventory management. But this interconnectedness has also made the retail sector a lucrative target for threat actors. With a flood of 19 billion malicious API requests in 2023 alone, retailers have faced relentless attempts to exploit vulnerabilities in every link of the API chain, potentially leading to data theft, operational disruption, or financial damage.
Back-to-school season is peak season for threat actors. Retailers have recognized this for years and typically increase their security measures during peak shopping periods. However, this approach is no longer foolproof. Sophisticated attackers are launching “attack runs” earlier in the year to lay the groundwork for seasonal sales, effectively bypassing retailers’ seasonal security lockdowns.
Head of the CQ Prime Threat Research team at Cequence Security.
In the long term
In the past, cybercriminals preferred “smash and grab” methods: simple, opportunistic plans that targeted easily accessible vulnerabilities. Today, however, they are evolving, investing more time and resources in stealth and spreading their attacks over longer periods, trying to go unnoticed and do more damage at peak times.
Threat actors circumvent security restrictions by creating a large number of valid accounts via standard APIs early in the year. This calculated move aims to build trust and credibility in the market, encouraging more social sharing and wider reach well in advance of peak shopping season. Threat actors use sophisticated tools and automation to strengthen the legitimacy of the accounts and mimic normal user activities, including communicating with other accounts, liking content, and subscribing to services.
However, the scale of these operations often exceeds what any human could perform manually, and that scale is itself a warning sign. The resulting flood of activity displaces legitimate users and compromises the integrity of the business and its marketplace. This type of attack is an example of the careful planning and persistence of modern retail attacks.
Long-term strategy aside, threat actors often employ a real-time tactic: account takeovers (ATOs). Rather than spending time creating thousands of “legitimate” accounts, ATOs aim to take control of existing customer accounts, providing a much faster path to success. This threat is constant, but unsurprisingly, activity increases during peak shopping times, with a staggering 410x increase in ATOs in the second half of the year.
Bot attacks remain a threat
Another tried-and-true tactic on the digital battlefield of retail is the ever-evolving bot attack. Remember the hype around concert tickets or the fleeting TikTok trends picked up by automated scripts? This is just the tip of the iceberg. The ease with which bots manipulate systems is alarming: detailed Reddit threads, how-to guides, and even “top bot” rankings are proliferating across the internet. The numbers paint a grim picture: out of 154 billion API requests, a staggering 22 billion came from bots.
Here’s how these bot attacks work: Threat actors use tools and automation to flood the system with a large number of actions. They add large quantities of in-demand items to their shopping carts to dominate the market and prevent legitimate customers from purchasing. Successful attacks result in attackers reselling these items elsewhere at exorbitant markups, further increasing customer and seller frustration.
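The cart-flooding pattern described above leaves a recognizable trace in API logs: many accounts behind one source adding the same in-demand item within seconds, or a single call reserving far more units than a shopper would. The following detector is an added example, not code from the article or from Cequence; the log format, field layout, thresholds and sample lines are all constructed assumptions.

```python
"""Velocity checks for add-to-cart API calls (constructed example, not from the article)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, account, HTTP method, path, SKU, quantity.
CART_LOG = """\
2024-08-01T09:00:00Z 203.0.113.7 acct-1001 POST /api/cart/items SKU-LAPTOP-X 1
2024-08-01T09:00:01Z 203.0.113.7 acct-1002 POST /api/cart/items SKU-LAPTOP-X 1
2024-08-01T09:00:01Z 203.0.113.7 acct-1003 POST /api/cart/items SKU-LAPTOP-X 1
2024-08-01T09:00:02Z 203.0.113.7 acct-1004 POST /api/cart/items SKU-LAPTOP-X 1
2024-08-01T09:00:02Z 203.0.113.7 acct-1005 POST /api/cart/items SKU-LAPTOP-X 1
2024-08-01T09:00:03Z 198.51.100.9 acct-2001 POST /api/cart/items SKU-LAPTOP-X 25
2024-08-01T09:00:10Z 192.0.2.44 acct-3001 POST /api/cart/items SKU-LAPTOP-X 1
2024-08-01T09:05:00Z 192.0.2.44 acct-3001 POST /api/cart/items SKU-BACKPACK-B 2
"""


def parse_cart_log(text):
    """Return only the add-to-cart events as dicts with a parsed timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, account, method, path, sku, qty = line.split()
        if method == "POST" and path == "/api/cart/items":
            events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                           "ip": ip, "account": account, "sku": sku, "qty": int(qty)})
    return events


def find_cart_hoarding(log_text, watched_skus, window_s=60,
                       max_accounts_per_ip=3, max_qty_per_call=10):
    """Flag (rule, identifier) pairs for watched SKUs.

    bulk_quantity: one call reserves more than max_qty_per_call units.
    coordinated_accounts: more than max_accounts_per_ip distinct accounts
    behind one source IP add the same SKU inside a sliding window.
    """
    findings = set()
    by_ip_sku = defaultdict(list)
    for e in parse_cart_log(log_text):
        if e["sku"] not in watched_skus:
            continue
        if e["qty"] > max_qty_per_call:
            findings.add(("bulk_quantity", e["account"]))
        by_ip_sku[(e["ip"], e["sku"])].append(e)
    window = timedelta(seconds=window_s)
    for (ip, _sku), evs in by_ip_sku.items():
        evs.sort(key=lambda e: e["ts"])
        for i, cur in enumerate(evs):
            # Distinct accounts seen from this IP within the window ending at cur.
            recent = {e["account"] for e in evs[:i + 1] if cur["ts"] - e["ts"] <= window}
            if len(recent) > max_accounts_per_ip:
                findings.add(("coordinated_accounts", ip))
                break
    return sorted(findings)
```

Thresholds belong in tuning, not code: a shared corporate NAT legitimately shows several accounts per IP, so the per-IP rule is a signal to combine with others, not a block decision on its own.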
What can retailers do to prepare?
The old model of tightening cybersecurity before major sales is no longer enough. With threat actors preparing well in advance, retailers must do the same. Developing a comprehensive, year-round security strategy is essential to effectively combat the rise in fake accounts and other threats during peak season.
Given the critical role of APIs in retail, organizations must fully understand their use and implement comprehensive defense strategies. Exposed and unmanaged APIs, or shadow APIs, are considered easy prey for threat actors using the “smash and grab” tactic. Visibility is paramount in the API security space. By carefully cataloging internal and external APIs, retailers can gain a comprehensive view of the entire attack surface, enabling them to enforce security standards across all APIs. This comprehensive visibility is critical to effectively defend against quick attacks and more insidious long-term maneuvers, protecting retail operations and building customer trust.
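Cataloging APIs in practice means reconciling what the gateway actually serves against what is documented; anything observed in traffic but absent from the inventory is a shadow API candidate. The script below is an added example, not code from the article or from Cequence; the documented inventory, the log format and the sample lines are constructed assumptions.

```python
"""Shadow API discovery: observed endpoints vs documented inventory (constructed example)."""
import re
from collections import Counter

# Constructed documented inventory, as method + path template (OpenAPI style).
DOCUMENTED = {
    "GET /api/products", "GET /api/products/{id}", "POST /api/cart/items",
    "GET /api/orders/{id}", "POST /api/accounts",
}

# Constructed gateway access log: timestamp, method, path, status.
GATEWAY_LOG = """\
2024-08-01T10:00:00Z GET /api/products/1234 200
2024-08-01T10:00:01Z POST /api/cart/items 201
2024-08-01T10:00:02Z GET /api/orders/9f1c2a7e-4b3d-4c8a-9d2e-1a2b3c4d5e6f 200
2024-08-01T10:00:03Z GET /api/v1/internal/export?all=1 200
2024-08-01T10:00:04Z DELETE /api/admin/users/42 204
2024-08-01T10:00:05Z DELETE /api/admin/users/43 204
"""

# A path segment that is a decimal number or a UUID is treated as an identifier.
ID_SEGMENT = re.compile(
    r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$", re.I)


def normalize(path):
    """Collapse concrete ids so /api/orders/42 compares equal to /api/orders/{id}."""
    path = path.split("?", 1)[0]  # query strings do not define the endpoint
    segs = ["{id}" if ID_SEGMENT.match(s) else s for s in path.strip("/").split("/")]
    return "/" + "/".join(segs)


def find_shadow_apis(log_text, documented):
    """Return {"METHOD /template": hit_count} for endpoints served but not documented."""
    seen = Counter()
    for line in log_text.strip().splitlines():
        _ts, method, path, _status = line.split()
        seen[f"{method} {normalize(path)}"] += 1
    return {endpoint: n for endpoint, n in seen.items() if endpoint not in documented}
```

Run this over a full traffic window rather than a sample; an endpoint that appears once a quarter is exactly the forgotten one the article calls easy prey.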
This article was produced as part of TechRadarPro’s Expert Insights channel, where we highlight the best and brightest minds in technology today. The views expressed here are those of the author and do not necessarily reflect those of TechRadarPro or Future plc. If you are interested in contributing, you can find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro